Entra ID - Device registration - Require MFA

Question

Hi There,

I have conditional access policies for enforcing MFA during device registration with Entra Id. The policy is currently in report-only mode and during the monitoring phase, it didnt show up any user hits or impact.

Keen to know what all can be the possible reasons for this behaviour. Is it because the devices are auto registered ?

Appreciate any pointers.

Thanks

Answer 1

Hi @robcool

Thank you for posting this in Microsoft Q&A.

Report-only mode is a feature in Entra Conditional Access that allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. When a policy is in report-only mode, it is evaluated during sign-in, but the policy is not enforced. Instead, the results of the policy evaluation are logged in the Conditional Access and Report-only tabs of the Sign-in log details. Report-only mode is useful for testing and evaluating the impact of Conditional Access policies before enforcing them in your environment. It allows you to identify any potential issues or conflicts that may arise when the policy is enforced, without actually impacting end-users.

For more information: Conditional Access report-only mode

In order to enforce MFA during device registration with Entra Id, conditional access policies need to be enabled. Make sure to select the "ON" option under Enable policy. After enabling the policy, it will work as you configured it in the CA policy.

Reference: https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

Hope this helps. Do let us know if you any further queries

Thanks,

Navya.

If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.